A restriction on quantum secret sharing (QSS) that comes from the no-cloning theorem is that 
any pair of authorized sets in an access structure should overlap. From the viewpoint of application, 
this places an unnatural constraint on secret sharing. We present a generalization, called assisted 
QSS (AQSS), where access structures without pairwise overlap of authorized sets are permissible, 
provided some shares are withheld by the share dealer. We show that no more than $\lambda - 1$ withheld 
shares are required, where $\lambda$ is the minimum number of partially linked classes among the authorized 
sets for the QSS. This is useful in QSS schemes where the share dealer is honest by definition and 
is equivalent to a secret reconstructor. Our result means that such applications of QSS need not be 
thwarted by the no-cloning theorem. 

PACS numbers: 03.67.Dd 



Suppose the president of a bank, Alice, wants to give access to a vault to two vice-presidents, Bob and Charlie, 
whom she does not entirely trust. Instead of giving the combination to any one of them, she may desire to distribute 
the information in such a way that no vice-president alone has any knowledge of the combination, but both of them 
can jointly determine the combination. Cryptography provides the answer to this question in the form of secret 
sharing [1]. In this scheme, some sensitive data is distributed among a number of parties such that certain authorized 
sets of parties can access the data, but no other combination of players. A particularly symmetric variety of secret 
splitting (sharing) is called a threshold scheme: in a $(k,n)$ classical threshold scheme (CTS), the secret is split up 
into $n$ pieces (shares), of which any $k$ shares form a set authorized to reconstruct the secret, while any set of $k - 1$ or 
fewer shares has no information about the secret. Blakley and Shamir showed that CTSs exist for all values of 
$k$ and $n$ with $n > k$. By concatenating threshold schemes, one can construct arbitrary access structures, subject only 
to the condition of monotonicity (i.e., sets containing authorized sets should also be authorized). Hillery et al. [5] 
and Karlsson et al. proposed methods for implementing CTSs that use quantum information to transmit shares 
securely in the presence of eavesdroppers. 

Subsequently, extending the above idea to the quantum case, Cleve, Gottesman and Lo, using the notion of 
quantum erasure correction, presented a $(k,n)$ quantum threshold scheme (QTS) as a method to split up an 
unknown secret quantum state $|S\rangle$ into $n$ pieces (shares) with the restriction that $k > n/2$, this inequality being 
needed to ensure that no two disjoint sets of players should be able to reconstruct the secret, in conformance with 
the quantum no-cloning theorem. QSS has been extended beyond QTS to general access structures, but 
here none of the authorized sets shall be mutually disjoint: given a QSS access structure $\Gamma = \{\alpha_1, \cdots, \alpha_r\}$ over $N$ 
players, the no-cloning restriction entails that: 

$$\alpha_j \cap \alpha_k \neq \phi \quad \forall j, k. \qquad (1)$$

Potential applications of QSS include creating joint checking accounts containing quantum money, or sharing 
hard-to-create ancilla states, or performing secure distributed quantum computation. A tri-qubit QSS scheme has 
recently been implemented. The chances of practical implementation of QSS are improved by employing equivalent 
schemes that maximize the proportion of classical information processing. 

The requirement Eq. (1) places a restriction quite unnatural to applications, where we may more likely expect 
to find groups of people with mutual trust within the group, and hardly any outside it. Our present work is aimed 
at studying a way to overcome this limitation. In particular, we show that allowing the dealer to withhold a small 
number of shares permits arbitrary access structures to be acceptable, subject only to monotonicity. This modified 
scheme we call "assisted QSS" (AQSS), the shares withheld by the dealer being called "resident shares". While more 
general than conventional QSS, AQSS is clearly not as general as classical secret sharing, since it requires shares given 
to the (non-dealer) players, called "player shares", to be combined with the resident shares for reconstructing the 
secret. 

In spite of this limitation, the modified scheme can be useful in some applications of secret sharing, in particular, 
those in which the secret dealer is by definition a trusted party and where reconstruction of the secret effectively 
occurs by re-convergence of shares at the dealer's station. In the bank example above, access is allowed by the 
bank vault (which can be thought of effectively as the dealer, acting as the bank president's proxy) if the secret 
reconstructed from the vice-presidents' shares is the required password. The locker thus effectively serves as both 
the dealer and site of secret reconstruction. In AQSS, the player shares are combined with the resident share(s) to 
reconstruct the secret. Clearly, this leads to no loss of generality in this type of QSS. Where the secret dealer is not 
necessarily trusted, such as in multi-party secure computation (MPSC), AQSS may be less useful, though here again 
only a more detailed study can tell whether MPSC cannot be turned into a suitable variant of AQSS. 

It is assumed that all the $n$ (quantum) shares are somehow divided among the $N$ players. In an AQSS scheme, 
$m < n$ shares are allowed to remain with the share dealer, as resident shares. In order that AQSS should depart 
minimally from conventional QSS, we further require that the number of resident shares should be the minimum 
possible such that a violation of Eq. (1) can be accommodated. Thus, a conventional QSS access structure like 
$\Gamma = \{ABC, ADE, BDF\}$, which as such conforms to the no-cloning theorem, will require no share assistance. A 
conventional QSS scheme is a special case of AQSS, in which the set of resident shares is empty. We prove by direct 
construction in the following Theorem that, by allowing for non-zero resident shares, the restriction does not apply 
to AQSS. Therefore, with share assistance, the only restriction on the access structure $\Gamma$ in AQSS is monotonicity, as 
with classical secret sharing. 

Given access structure $\Gamma = \{\alpha_1, \cdots, \alpha_r\}$, we divide all authorized sets $\alpha_j$ into partially linked classes, each of which 
is characterized by the following two properties: (a) Eq. (1) is satisfied if $j, k$ belong to the same class; (b) for any 
two distinct classes, there is at least one pair $j, k$, where $j$ belongs to one class and $k$ to the other, such that Eq. (1) 
fails. 

A division of $\Gamma$ into such classes we call a partial link classification. The number of classes in a partial link 
classification gives its size. In general, neither the combinations nor size of partial link classifications are unique. We 
denote the size of the smallest partial link classification for a given $\Gamma$ by $\lambda$. If all authorized sets have mutual pairwise 
overlap then $\lambda = 1$ and the single partially linked class is, uniquely, $\Gamma$ itself, and AQSS reduces to conventional QSS. 
If none of the $\alpha_j$'s have mutual pairwise overlap, then $\lambda = r$ and the $r$ partially linked classes are, uniquely, each $\alpha_j$. 
If there are $s$ disconnected groups of $\alpha_j$'s (that is, Eq. (1) fails for all pairs $j, k$, where $j$ comes from one group and $k$ 
from another) then $\lambda > s$. The inequality arises from the fact that there may be more than one partially linked class 
within a disconnected group. 

The problem of obtaining a partial link classification can be analyzed graph theoretically. It is easy to visualize 
$\Gamma$ as a graph $G(V,E)$, composed of a set $V$ of vertices and a set $E$ of edges. The vertices are the authorized sets, 
$V = \{\alpha_j\} = \Gamma$, and the edges $E = \{(\alpha_j, \alpha_k)\}$ correspond to pairs of sets that have pairwise overlap. Such a graph may 
be called an access structure graph (AS graph) for $\Gamma$. A partial link classification corresponds to a partitioning of 
the AS graph $G$ such that each partition is a clique, i.e., a complete subgraph in $G$ (a graph is called complete if 
each of its vertices has an edge to every other vertex). Figure 1(a) depicts a conventional QSS, where $\Gamma$ is partitioned 
into a single 5-clique. Figure 1(b) depicts a more general case covered by AQSS, where $\Gamma$ is partitioned into a pair of 
3-cliques or into a triple of 2-cliques. The problem of determining $\lambda$ is thus equivalent to the combinatorial problem 
of partitioning $G$ into the minimum number of cliques. Here it is worth noting that many multi-party problems are 
amenable to combinatorial treatment. 

Before introducing the main Theorem, it is instructive to look at the classical situation. In our notation, single 
(double) parentheses indicate CTS (QTS). For a classical secret sharing scheme, suppose $\Gamma = \{ABC, AD, DEF\}$, 
which can be written in the normal form {(A AND B AND C) OR (A AND D) OR (D AND E AND F)}. The 
AND gate corresponds to a $(|\alpha_j|, |\alpha_j|)$ threshold scheme, while OR corresponds to a $(1,2)$ threshold scheme. By concatenating 
these two layers, we get a construction for $\Gamma$. In the conventional QSS, the above fails for two reasons, both connected 
to the no-cloning theorem: the members of $\Gamma$ should not be disjoint; and further there is no $((1, 2))$ scheme. However, 
we can replace $((1, 2))$ by a $((2, 3))$ scheme, which corresponds to a majority function of OR. In general, we replace a 
$((1, r))$ scheme by a $((r, 2r - 1))$ scheme: $r$ of the shares correspond to individual authorized sets in $\Gamma$, shared within 
an $\alpha_j$ according to a $((|\alpha_j|, |\alpha_j|))$ threshold scheme, and, recursively, the other $r - 1$ shares are shared according to 
a pure state scheme that implements a maximal structure $\Gamma_{\max}$ that includes $\Gamma$ (obtained by adding authorized sets 
to $\Gamma$ until the complement of every unauthorized set is precisely an authorized set) [11]. The Theorem below extends 
this idea to the situation where $\Gamma$ does not satisfy Eq. (1). 

Theorem 1 Given an access structure $\Gamma = \{\alpha_1, \alpha_2, \cdots, \alpha_r\}$ with a minimum of $\lambda$ partially linked classes among a 
set of players $\mathcal{P} = \{P_1, P_2, \cdots, P_n\}$, an assisted quantum secret sharing scheme exists iff $\Gamma$ is monotone. It requires 
no more than $\lambda - 1$ resident shares. 

Proof: We give a proof by construction. It is known that if $\lambda = 1$, then there exists a conventional QSS to realize 
it. Suppose $\lambda > 1$. To implement $\Gamma$ (which represents a monotonic access structure), the dealer first employs 
a $((\lambda, 2\lambda - 1))$ majority function, assigning one share to each class. Recursively, each share is then subjected to a 
conventional QSS within each class. The remaining $\lambda - 1$ shares remain resident with the dealer. To reconstruct the 
secret, any authorized set can reconstruct the share assigned to its class, which, combined with the resident shares, 
is sufficient for the purpose. Clearly, since the necessity of the resident share by itself fulfils the no-cloning theorem, 
authorized sets are not required to be mutually overlapping. Thus monotonicity is the only constraint. □ 

FIG. 1: The vertices represent authorized sets, the edges depict a non-vanishing pairwise overlap between two authorized sets. 
Figure (a) represents a conventional QSS, where all sets have pairwise overlap, meaning that the AS graph is complete, so 
that $\lambda = 1$. Figure (b) represents a situation where this does not hold and hence $\lambda > 1$. The authorized sets are labelled 
$\{\alpha, \beta, \chi, \epsilon, \delta, \phi\}$. The dashed line is a cut leading to two partially linked classes (the pair of 3-cliques, $\{\alpha, \beta, \chi\}$ and $\{\delta, \epsilon, \phi\}$), so 
that $\lambda = 2$. The two dash-dotted lines are a system of two cuts leading to three partially linked classes (the triple of 2-cliques, 
$\{\chi, \delta\}$ and $\{\epsilon, \phi\}$). 

Some corollaries of the theorem are worth noting. First is that the number ($= \lambda - 1$) of resident shares is strictly 
less than the number ($> N > \lambda$) of player shares. A share $q$ is 'important' if there is an unauthorized set $T$ such that 
$T \cup \{q\}$ is authorized. From the fact that the Theorem uses a threshold scheme (the $((\lambda, 2\lambda - 1))$ scheme) in the first layer, 
it follows that all the resident shares are important. 

As an illustration of the Theorem, we consider the access structure $\Gamma = \{ABC, BD, EFG\}$, for which $\lambda = 2$. In 
the first layer, a $((2,3))$ scheme is employed to split $|S\rangle$ into three shares, with one share designated to the class 
$C_1 = \{ABC, BD\}$ and the other to $C_2 = \{EFG\}$. The last remains with the dealer. In the second layer, the first 
share is split-shared among members of $C_1$ according to a conventional QSS scheme. The second share is split-shared 
among players of $C_2$ according to a $((3, 3))$ scheme. Diagrammatically, this can be depicted as follows. 



$$
((2,3)):\ |S\rangle
\begin{cases}
((2,3)): \begin{cases} ((3,3)): A, B, C \\ ((2,2)): B, D \end{cases} \\
((3,3)): E, F, G \\
((1,1)): \text{dealer}
\end{cases}
\qquad (2)
$$
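The AS-graph argument and the illustration above can be checked mechanically. The following is an added example, not code from the paper: it builds the AS graph, finds a smallest partial link classification by exhaustive backtracking (suitable only for small access structures), and reports the first-layer scheme and resident-share count used in the Theorem's construction. All function names are illustrative, and the access structure is assumed to be a non-empty list of authorized sets written as strings of player labels.

```python
from itertools import combinations

def as_graph(gamma):
    """AS graph: vertices are authorized sets, edges join sets that satisfy Eq. (1)."""
    sets = [frozenset(a) for a in gamma]
    adj = {i: set() for i in range(len(sets))}
    for i, j in combinations(range(len(sets)), 2):
        if sets[i] & sets[j]:              # non-empty pairwise overlap
            adj[i].add(j)
            adj[j].add(i)
    return sets, adj

def min_clique_partition(gamma):
    """Smallest partition of the AS graph into cliques (property (a)).
    Being minimal, no two classes can be merged, which is property (b)."""
    sets, adj = as_graph(gamma)
    r = len(sets)

    def place(i, classes, k):
        if i == r:
            return [list(c) for c in classes]
        for c in classes:                  # join a class only if it stays a clique
            if all(m in adj[i] for m in c):
                c.append(i)
                found = place(i + 1, classes, k)
                if found:
                    return found
                c.pop()
        if len(classes) < k:               # otherwise open a new class, up to k
            classes.append([i])
            found = place(i + 1, classes, k)
            if found:
                return found
            classes.pop()
        return None

    for k in range(1, r + 1):              # the first feasible k is lambda
        part = place(0, [], k)
        if part:
            return [["".join(sorted(sets[i])) for i in c] for c in part]
    return []

def aqss_layout(gamma):
    """First-layer ((lambda, 2*lambda - 1)) scheme and resident shares per the Theorem."""
    classes = min_clique_partition(gamma)
    lam = len(classes)
    return {"lambda": lam, "classes": classes,
            "first_layer": (lam, 2 * lam - 1), "resident_shares": lam - 1}

if __name__ == "__main__":
    for gamma in (["ABC", "BD", "EFG"], ["ABC", "ADE", "BDF"], ["ABC", "DE", "FGH"]):
        print(gamma, aqss_layout(gamma))
```

The partition returned is one of possibly several of minimum size, since partial link classifications are not unique in general.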

Note that given any $\Gamma$, even with non-zero disconnected pieces (i.e., the AS graph is not connected), there is a 
trivial AQSS by simply adding a common player to all authorized sets, and designating him to be the dealer: e.g., 
$\Gamma = \{ABC, DE, FGH\}$ giving $\Gamma' = \{ABCX, DEX, FGHX\}$, where shares to X would be designated as resident 
shares. Thereby, the structure $\Gamma = \Gamma'|_X$, which denotes a restriction of $\Gamma'$ to members other than X, is effectively 
realized among the players (not including the dealer). However, this case is excluded as a valid AQSS because the 
number of resultant resident shares is non-minimal, at least according to the recursive scheme outlined above. In all 
it would require $3 + 2x$ ($> 3$) shares, where $x$ is the number of instances in which X appears in a maximal structure 
$\Gamma'_{\max}$ that includes $\Gamma'$. More generally, the requirement is a minimum of $r + (r - 1)x > r$ resident shares, where $r$ is 
the number of authorized sets in $\Gamma$. A better method is for the dealer to employ a pure state scheme that implements 
$\Gamma'_{\max}$, retain all shares corresponding to X while discarding all those corresponding to sets in $\Gamma'_{\max} - \Gamma'$. In all this 
would require 3 shares, or, in general, $r$ shares. In contrast, according to the Theorem above, no more than $\lambda - 1 = 2$ 
resident shares are needed. Clearly, in general, $\lambda - 1 < r$. These considerations suggest that $\lambda(\Gamma) - 1$ is the minimal 
number of resident shares required to implement a QSS for $\Gamma$. We conjecture that this is indeed the case. 